QRadar SIEM Integration Workflow

This section discusses how to integrate QRadar SIEM with VeloCloud and includes instruction on creating a Log Source group, importing the VeloCloud Edge DSM module, and setting up VeloCloud Edges as Log Source records.

Before data can be onboarded from the VeloCloud solutions, the QRadar SIEM service must be prepared to accept the data. This requires the following steps:
  1. Create a Log Source Group for your Edge appliances.
  2. Import the VeloCloud Edge DSM module.
  3. Set up VeloCloud Edges as Log Source records.

Once these steps are ready, you can configure the VeloCloud Edges in the VeloCloud Orchestrator to send log messages and flow telemetry data to their designated event collectors.

  1. Create a Log Source Group for your VeloCloud Edge Appliances:
    1. Log Source Groups help you manage larger-scale network deployments by associating default DSMs or Log Source Extensions with your network devices. Log source groups help filter event data to a particular group of devices.
    2. To view or create a Log Source Group, go to Admin > Data Sources > Events . Depending on your system, you might see something similar:
      Figure 1. QRadar - Data Sources
    3. In the main window, select Log Source Groups, then select New Group in the new window:
      Figure 2. Log Source Group Management
    4. A new window, titled Group Properties opens:
      Figure 3. Log Source Group Properties
      Table 1. Log Source Group Properties
      QRadar – Log Source Group Properties
      Parent The parent container for the newly created child object. Before you save your changes, make sure that the new Log Source Group is created under the correct container. QRadar supports nested Log Source Groups.
      Name Administrative name for the Log Source Group
      Description Summary of the log source group’s function or its contents.
  2. Import the VeloCloud Edge DSM module into your QRadar Deployment: Now that the Log Source Group is ready, we will import the custom DSM for VeloCloud Edge appliances. The DSM is delivered as a ZIP archive.
    1. To start with the import process, navigate to Admin > System Configuration , then select Extensions Management:
      Figure 4. Extensions Management
    2. In this window, you will see a list of extension modules that enhance QRadar functionality and their installation statuses. The list of available modules depends on your deployment. To upload the ZIP archive, select the Add button in the top-right corner. If you want to install it right away, select Install Immediately:
      Figure 5. Add New Extension
    3. After the upload, a new line item will appear in the Extensions Management window. From here you can install the DSM (if you have not done it already), remove the module or look at its contents (the output might vary based on the DSM contents):
      Figure 6. VeloCloud Edge DSM Contents
  3. Create a Log Source Record for Each VeloCloud Edge:
    1. You need to create a log source record for each VeloCloud Edge to make them trusted sources of events. You can use an extension called QRadar Log Source Managementto set up the Edge Syslog feeds. This extension may be different from the legacy Log Source Management interface, depending on your QRadar version.
    2. To launch the application, go to Admin > Apps > QRadar Log Source Management .
      Figure 7. Log Source Management
    3. After selecting on + New Log Source, select Single Log Source (if you want to add just one Edge appliance), or Multiple Log Sources (if you need to create log sources in bulk).
    4. Under Select Log Source Type, search for SD-WAN Edge:
      Figure 8. Select a Log Source Type
      Note: If you cannot find the SD-WAN Edge option, check the Admin tab to see if changes are to be deployed, or you can do a Deploy Full Configuration from Advanced. After a few minutes, the log source type should show up.
    5. Under Select a Protocol Type, it should default to Syslog, this is what we need:
      Figure 9. Select a Protocol Type
    6. On the Log Source parameters screen, you must complete all the device-specific details:
      Figure 10. Log Source Parameters
      Table 2. Log Source Parameter Descriptions
      Parameter Name Description Mandatory?
      Name The device name of the Edge (as appears in the Orchestrator). Yes
      Description A brief description that helps identify the appliance sending events. No
      Enabled This switch instructs QRadar to use this record to identify the log source, or not. Yes
      Groups Assigns the device to a log source group. A device can be part of multiple groups if required.

      Grouping can help parse events faster or manage group members in a uniform fashion.

      		 Yes
      Extension The associated DSM that helps to correctly format messages from the device and perform event mapping against logs. This should point to the SD-WAN Edge Extension. No
      Language The language of the logs. Defaults to English. Yes
      Target Event Collector Most of the QRadar deployments are distributed in nature. You can select the correct event collector that should accept Syslog messages from the Edges and parse them. Yes
      Credibility An administrative measure on a scale of from 0 to 10, It is a measure of the log source’s reliability. Yes
      Coalescing Events If this feature is enabled, the SIEM will aggregate similar activities into a single entry. No
      Store Event Payload If enabled, QRadar will record the payload of the Syslog messages. Typically enabled in production environments. No

      Once every parameter is set, you can progress to the next screen, selecting the Protocol Parameters. Encoding should be UTF-8, and the Log Source Identifier must be configured as the device name from the Orchestrator.

      Figure 11. Protocol Parameters

      Once all settings are set, select Finish. By selecting on the log source in the main screen, the Log Source Summary screen will open, and you can double-check the settings:

      Figure 12. Log Source Summary of an Edge
      Note: If you are using a distributed QRadar deployment (common in production environments), take note of the Target Event Collector setting, as you will set this up as a IPFIX and Syslog Target.

      Event collectors might have multiple network interfaces that might have various assigned roles. See this KB article if you need assistance understanding how your QRadar deployment is connected to your enterprise network fabric.

  4. How to Integrate VeloCloud Edge with QRadar: You have prepared QRadar to receive data from the VeloCloud Edge appliances. Now, you need to configure the QRadar Event Collectors as IPFIX and Syslog service endpoints. QRadar uses "Regular" network interfaces to collect log and flow data. If you are not sure what the interface IP address is, follow these steps:
    1. Go to Admin > System Configuration > System and License Management .
    2. In the Display field, select Systems.
    3. Select the Event Collector that you want to use as a target system.
    4. Open the Actions drop-down menu from the top menu bar.
    5. Select View and Manage System.
    6. Select the Network Interfaces tab in the new window.
      You will see a similar output for your node: Event Console node with two NICs, one used for OOB management, the regular NIC used for event and flow collection.
      Figure 13. Network Interfaces
  5. Now, you can switch from QRadar to the VeloCloud Orchestrator. Perform the following steps in the Orchestrator:
    1. On the Enterprise level, define the QRadar Flow Collectors as NetFlow/IPFIX Collectors.
    2. On the Edge or Profile level, enable the Edges to start the flow export process and send telemetry to the Flow Collectors defined in the previous step.
    3. While on the Edge or Edge Profile level, configure Event Collectors as Syslog servers.
    4. Enable the Edge Firewall or Enhanced Firewall Services logging.
    5. Define a Firewall Rule with logging enabled.